Pi-hole on Fedora has issues with SELinux

JaredBusch

@stacksofplates said in Pi-hole on Fedora has issues with SELinux:

All I did was set /var/www/html/admin to httpd_sys_content_t

And set /var/log/pi-hole.log to dnsmasq_var_log_t.

That got most things resolved as I can hit the webpage now.

chcon --type=dnsmasq_var_log_t /var/log/pihole.log
chcon --recursive --type=httpd_sys_content_t /var/www/html/admin

But after a reboot, I see this when enforcing

But the DNS service is running.

JaredBusch

I purged the audit log and rebooted.

Still this.

[root@pihole ~]# sealert -a /var/log/audit/audit.log
100% done
found 1 alerts in /var/log/audit/audit.log
--------------------------------------------------------------------------------

SELinux is preventing lighttpd from map access on the file /etc/lighttpd/lighttpd.conf.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that lighttpd should be allowed map access on the lighttpd.conf file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'lighttpd' --raw | audit2allow -M my-lighttpd
# semodule -X 300 -i my-lighttpd.pp

JaredBusch

While I can run that command, I do not want to. I would prefer to find the right thing I need to change because there is no reason to install all the SELinux tools on an instance just to set a permission.

JaredBusch

tried to load the admin page and it added some more.

[root@pihole ~]# sealert -a /var/log/audit/audit.log
100% done
found 3 alerts in /var/log/audit/audit.log
--------------------------------------------------------------------------------

SELinux is preventing lighttpd from map access on the file /etc/lighttpd/lighttpd.conf.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that lighttpd should be allowed map access on the lighttpd.conf file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'lighttpd' --raw | audit2allow -M my-lighttpd
# semodule -X 300 -i my-lighttpd.pp


Additional Information:
Source Context                system_u:system_r:httpd_t:s0
Target Context                unconfined_u:object_r:httpd_config_t:s0
Target Objects                /etc/lighttpd/lighttpd.conf [ file ]
Source                        lighttpd
Source Path                   lighttpd
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages           
Target RPM Packages           lighttpd-1.4.49-4.fc27.x86_64
Policy RPM                    selinux-policy-3.13.1-283.30.fc27.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     pihole.jaredbusch.com
Platform                      Linux pihole.jaredbusch.com
                              4.15.13-300.fc27.x86_64 #1 SMP Mon Mar 26 19:06:57
                              UTC 2018 x86_64 x86_64
Alert Count                   1
First Seen                    2018-04-04 00:10:27 CDT
Last Seen                     2018-04-04 00:10:27 CDT
Local ID                      c68567cd-1d33-4f99-8c8f-d185c0a0309f

Raw Audit Messages
type=AVC msg=audit(1522818627.295:87): avc:  denied  { map } for  pid=632 comm="lighttpd" path="/etc/lighttpd/lighttpd.conf" dev="dm-0" ino=17333729 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_config_t:s0 tclass=file permissive=0


Hash: lighttpd,httpd_t,httpd_config_t,file,map

--------------------------------------------------------------------------------

SELinux is preventing sudo from using the setrlimit access on a process.

*****  Plugin catchall_boolean (89.3 confidence) suggests   ******************

If you want to allow httpd to setrlimit
Then you must tell SELinux about this by enabling the 'httpd_setrlimit' boolean.

Do
setsebool -P httpd_setrlimit 1

*****  Plugin catchall (11.6 confidence) suggests   **************************

If you believe that sudo should be allowed setrlimit access on processes labeled httpd_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'sudo' --raw | audit2allow -M my-sudo
# semodule -X 300 -i my-sudo.pp


Additional Information:
Source Context                system_u:system_r:httpd_t:s0
Target Context                system_u:system_r:httpd_t:s0
Target Objects                Unknown [ process ]
Source                        sudo
Source Path                   sudo
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-283.30.fc27.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     pihole.jaredbusch.com
Platform                      Linux pihole.jaredbusch.com
                              4.15.13-300.fc27.x86_64 #1 SMP Mon Mar 26 19:06:57
                              UTC 2018 x86_64 x86_64
Alert Count                   1
First Seen                    2018-04-04 00:13:30 CDT
Last Seen                     2018-04-04 00:13:30 CDT
Local ID                      8433e0d2-20ac-4b81-b135-7bcf50ca850d

Raw Audit Messages
type=AVC msg=audit(1522818810.923:196): avc:  denied  { setrlimit } for  pid=957 comm="sudo" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=process permissive=0


Hash: sudo,httpd_t,httpd_t,process,setrlimit

--------------------------------------------------------------------------------

SELinux is preventing sudo from using the sys_resource capability.

*****  Plugin sys_resource (37.5 confidence) suggests   **********************

If you do not want processes to require capabilities to use up all the system resources on your system;
Then you need to diagnose why your system is running out of system resources and fix the problem.

According to /usr/include/linux/capability.h, sys_resource is required to:

/* Override resource limits. Set resource limits. */
/* Override quota limits. */
/* Override reserved space on ext2 filesystem */
/* Modify data journaling mode on ext3 filesystem (uses journaling
   resources) */
/* NOTE: ext2 honors fsuid when checking for resource overrides, so
   you can override using fsuid too */
/* Override size restrictions on IPC message queues */
/* Allow more than 64hz interrupts from the real-time clock */
/* Override max number of consoles on console allocation */
/* Override max number of keymaps */

Do
fix the cause of the SYS_RESOURCE on your system.

*****  Plugin catchall_boolean (30.1 confidence) suggests   ******************

If you want to allow httpd to run stickshift
Then you must tell SELinux about this by enabling the 'httpd_run_stickshift' boolean.

Do
setsebool -P httpd_run_stickshift 1

*****  Plugin catchall_boolean (30.1 confidence) suggests   ******************

If you want to allow httpd to setrlimit
Then you must tell SELinux about this by enabling the 'httpd_setrlimit' boolean.

Do
setsebool -P httpd_setrlimit 1

*****  Plugin catchall (4.20 confidence) suggests   **************************

If you believe that sudo should have the sys_resource capability by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'sudo' --raw | audit2allow -M my-sudo
# semodule -X 300 -i my-sudo.pp


Additional Information:
Source Context                system_u:system_r:httpd_t:s0
Target Context                system_u:system_r:httpd_t:s0
Target Objects                Unknown [ capability ]
Source                        sudo
Source Path                   sudo
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-283.30.fc27.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     pihole.jaredbusch.com
Platform                      Linux pihole.jaredbusch.com
                              4.15.13-300.fc27.x86_64 #1 SMP Mon Mar 26 19:06:57
                              UTC 2018 x86_64 x86_64
Alert Count                   1
First Seen                    2018-04-04 00:13:30 CDT
Last Seen                     2018-04-04 00:13:30 CDT
Local ID                      95178bcd-0a0e-4a2b-80b1-d6ae2637c18e

Raw Audit Messages
type=AVC msg=audit(1522818810.928:197): avc:  denied  { sys_resource } for  pid=957 comm="sudo" capability=24  scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capability permissive=0


Hash: sudo,httpd_t,httpd_t,capability,sys_resource

[root@pihole ~]# 

stacksofplates

I’ll have to look when I get home.

JaredBusch

@stacksofplates said in Pi-hole on Fedora has issues with SELinux:

I’ll have to look when I get home.

The two things you did make it run on reboot, just no access to the GUI.
I suspect just the log permission change lets the app itself run.

Alex Sage

Doing a fresh install now on F27 with SEL in permissive. Where is the SELinux logs stored?

black3dynamite

@aaronstuder said in Pi-hole on Fedora has issues with SELinux:

Doing a fresh install now on F27 with SEL in permissive. Where is the SELinux logs stored?

/var/log/audit/audit.log

stacksofplates

@jaredbusch said in Pi-hole on Fedora has issues with SELinux:

@stacksofplates said in Pi-hole on Fedora has issues with SELinux:

I’ll have to look when I get home.

The two things you did make it run on reboot, just no access to the GUI.
I suspect just the log permission change lets the app itself run.

Yes. I didnt' look at the gui afterwards. Just noticed it was actually able to run and allowed me to get to the admin interface.

stacksofplates

So did a new install on Fedora 27. Still didn't work, so I just installed it on Debian.

black3dynamite

@stacksofplates said in Pi-hole on Fedora has issues with SELinux:

So did a new install on Fedora 27. Still didn't work, so I just installed it on Debian.

Why not permanently set SELinux to permissive instead of using Debian?

stacksofplates

@black3dynamite said in Pi-hole on Fedora has issues with SELinux:

@stacksofplates said in Pi-hole on Fedora has issues with SELinux:

So did a new install on Fedora 27. Still didn't work, so I just installed it on Debian.

Why not permanently set SELinux to permissive instead of using Debian?

I could. I just deleted the instance and started over so I just chose debian. I don't ever log into this and just have the updates automatically done so it doesn't really matter what it is.

Alex Sage

@black3dynamite said in Pi-hole on Fedora has issues with SELinux:

@stacksofplates said in Pi-hole on Fedora has issues with SELinux:

So did a new install on Fedora 27. Still didn't work, so I just installed it on Debian.

Why not permanently set SELinux to permissive instead of using Debian?

Confirmed working on Permissive.

black3dynamite

@aaronstuder said in Pi-hole on Fedora has issues with SELinux:

@black3dynamite said in Pi-hole on Fedora has issues with SELinux:

@stacksofplates said in Pi-hole on Fedora has issues with SELinux:

So did a new install on Fedora 27. Still didn't work, so I just installed it on Debian.

Why not permanently set SELinux to permissive instead of using Debian?

Confirmed working on Permissive.

It always worked when set to permissive. I also preferred using permissive instead of disabling SELinux that way I can fix the errors later.

JaredBusch

@black3dynamite said in Pi-hole on Fedora has issues with SELinux:

@aaronstuder said in Pi-hole on Fedora has issues with SELinux:

@black3dynamite said in Pi-hole on Fedora has issues with SELinux:

@stacksofplates said in Pi-hole on Fedora has issues with SELinux:

So did a new install on Fedora 27. Still didn't work, so I just installed it on Debian.

Why not permanently set SELinux to permissive instead of using Debian?

Confirmed working on Permissive.

It always worked when set to permissive. I also preferred using permissive instead of disabling SELinux that way I can fix the errors later.

I know it works on Permissive. the point was I am trying to find what it not being liked in order to change that. I can run sealert and then do whatever it says, but that means I have to install the setroubleshoot or whatever package and I do not ever want to do that in one of my guides if I can help it because it adds a lot of packages that are only needed for this one time thing.

I have done it, but I didn't like it. I will likely have to do it again, but I won't like it then either.

black3dynamite

For some reasons flushing logs isn't working for me. It works for me when using Debian.

JaredBusch

ok back to this after 14 days and just WTF with my audit.log, it took sealert 5 minutes to parse it.

[root@pihole ~]# ls -lah /var/log/audit/audit.log
-rw-------. 1 root root 5.4M Apr 17 21:20 /var/log/audit/audit.log

JaredBusch

[root@pihole ~]# sealert -a /var/log/audit/audit.log
  0% donetype=AVC msg=audit(1522818810.923:196): avc:  denied  { setrlimit } for  pid=957 comm="sudo" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=process permissive=0
 
**** Invalid AVC allowed in current policy ***

type=AVC msg=audit(1522818810.928:197): avc:  denied  { sys_resource } for  pid=957 comm="sudo" capability=24  scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capability permissive=0
 
**** Invalid AVC allowed in current policy ***

 51% done'generator' object is not subscriptable
100% done
found 29 alerts in /var/log/audit/audit.log

JaredBusch

SELinux is preventing lighttpd from map access on the file /etc/lighttpd/lighttpd.conf.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that lighttpd should be allowed map access on the lighttpd.conf file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'lighttpd' --raw | audit2allow -M my-lighttpd
# semodule -X 300 -i my-lighttpd.pp


Additional Information:
Source Context                system_u:system_r:httpd_t:s0
Target Context                unconfined_u:object_r:httpd_config_t:s0
Target Objects                /etc/lighttpd/lighttpd.conf [ file ]
Source                        lighttpd
Source Path                   lighttpd
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages           
Target RPM Packages           lighttpd-1.4.49-4.fc27.x86_64
Policy RPM                    selinux-policy-3.13.1-283.30.fc27.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     pihole.jaredbusch.com
Platform                      Linux pihole.jaredbusch.com
                              4.15.13-300.fc27.x86_64 #1 SMP Mon Mar 26 19:06:57
                              UTC 2018 x86_64 x86_64
Alert Count                   1
First Seen                    2018-04-04 00:10:27 CDT
Last Seen                     2018-04-04 00:10:27 CDT
Local ID                      7231bc1d-89a1-4c9b-afeb-e87e9fd42dba

Raw Audit Messages
type=AVC msg=audit(1522818627.295:87): avc:  denied  { map } for  pid=632 comm="lighttpd" path="/etc/lighttpd/lighttpd.conf" dev="dm-0" ino=17333729 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_config_t:s0 tclass=file permissive=0


Hash: lighttpd,httpd_t,httpd_config_t,file,map

JaredBusch

SELinux is preventing sudo from nlmsg_relay access on the netlink_audit_socket Unknown.

*****  Plugin catchall_boolean (89.3 confidence) suggests   ******************

If you want to allow httpd to mod auth pam
Then you must tell SELinux about this by enabling the 'httpd_mod_auth_pam' boolean.

Do
setsebool -P httpd_mod_auth_pam 1

*****  Plugin catchall (11.6 confidence) suggests   **************************

If you believe that sudo should be allowed nlmsg_relay access on the Unknown netlink_audit_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'sudo' --raw | audit2allow -M my-sudo
# semodule -X 300 -i my-sudo.pp


Additional Information:
Source Context                system_u:system_r:httpd_t:s0
Target Context                system_u:system_r:httpd_t:s0
Target Objects                Unknown [ netlink_audit_socket ]
Source                        sudo
Source Path                   sudo
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-283.30.fc27.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     pihole.jaredbusch.com
Platform                      Linux pihole.jaredbusch.com
                              4.15.13-300.fc27.x86_64 #1 SMP Mon Mar 26 19:06:57
                              UTC 2018 x86_64 x86_64
Alert Count                   1446
First Seen                    2018-04-04 00:16:52 CDT
Last Seen                     2018-04-17 19:30:30 CDT
Local ID                      3ba955da-bc76-40a9-8efa-50c9728c7b3b

Raw Audit Messages
type=AVC msg=audit(1524011430.537:21859): avc:  denied  { nlmsg_relay } for  pid=11201 comm="sudo" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=netlink_audit_socket permissive=1


Hash: sudo,httpd_t,httpd_t,netlink_audit_socket,nlmsg_relay